New Exchange fixes change permissions model, may disrupt Blackberry, Goodlink, and other services

by Bharat Suneja

A recent change in the Exchange permissions model may disrupt Blackberry, Goodlink and other services. Many folks may have already applied hotfixes that changed the behavior of “Send As” and “Full Mailbox Access” permissions. Here’s a brief overview.

What: Separation of “Full Mailbox Access” and “Send As” permissions.

Why: Earlier, users with the “Full Mailbox Access” permission on a mailbox were implicitly granted the “Send As” permission, which allowed them to send mail as that user. Services like Blackberry Enterprise Server and Goodlink commonly rely on Full Mailbox Access to send mail as a user. This was a security issue for many customers, and the two permissions needed to be separated. With this change, users and services now explicitly need the “Send As” permission on a given user’s mailbox to send as that user.

Which versions: The change was applied to the STORE.EXE file. You can tell by the version of STORE.EXE: if the version you have is equal to or later than the following, this change has already been made in your environment.
– Exchange 2000 SP3: version 6619.4 or later (first made available in hotfix KB 915358)
– Exchange 2003 SP1: version 7233.51 or later (first made available in hotfix KB 895949)
– Exchange 2003 SP2: version 7650.23 or later (first made available in hotfix KB 895949)

(Note about today’s security bulletin MS06-019: the security patch released today in Microsoft Security Bulletin MS06-019 also contains this fix for Exchange Server 2003 SP1. If you use Microsoft Update on your Exchange servers, it will be applied as part of the critical fixes. If you’re on Exchange Server 2003 SP2, the SP2 version of the patch does not update Store.exe.)

Do I need to do anything?: If your users, or the accounts used by services like Blackberry or Goodlink, need to impersonate a user and rely on the “Full Mailbox Access” permission to do so, they will need to be assigned the “Send As” permission explicitly.

Microsoft has included a script in KB 912918 that will dump all user accounts that have “Full Mailbox Access” permission. You can browse through the list and determine if any of those accounts need to impersonate users and therefore explicitly require “Send As” permission. You can then use the script to assign “Send As” permission to those accounts.
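As an added example (not the post’s own code and not the KB 912918 script), here is one way to take the list of Full Mailbox Access holders that the KB script dumps and check, per mailbox, whether each account also holds the “Send As” extended right on the mailbox owner’s AD user object, granting it only after you have reviewed the report. The account names and distinguished names are constructed placeholders; the Send-As rights GUID is the schema’s well-known value.

```powershell
# Added example, not the post's or KB 912918's script: audit whether accounts that hold
# "Full Mailbox Access" also hold the "Send As" extended right on the mailbox owner's
# AD user object, and grant it where missing. The (trustee, mailbox DN) pairs are
# assumed to come from the KB 912918 dump; the values below are constructed placeholders.
$AR = [System.DirectoryServices.ActiveDirectoryRights]
# Well-known rightsGuid of the Send-As extended right in the AD schema.
$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

function Test-SendAs {
    param([string]$MailboxDn, [string]$Trustee)   # $Trustee as DOMAIN\account
    $user  = [ADSI]"LDAP://$MailboxDn"
    $rules = $user.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $allow = $false; $deny = $false
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $Trustee) { continue }
        $rights = [int]$r.ActiveDirectoryRights
        # Send As is conferred by the specific extended right, by a blanket "all extended
        # rights" ACE (empty ObjectType), or by GenericAll on the user object.
        $covers = (($rights -band [int]$AR::ExtendedRight) -ne 0 -and
                   ($r.ObjectType -eq $SendAsGuid -or $r.ObjectType -eq [guid]::Empty)) -or
                  (($rights -band [int]$AR::GenericAll) -eq [int]$AR::GenericAll)
        if (-not $covers) { continue }
        if ($r.AccessControlType -eq 'Allow') { $allow = $true } else { $deny = $true }
    }
    return ($allow -and -not $deny)   # an explicit Deny wins over Allow
}

function Grant-SendAs {
    param([string]$MailboxDn, [string]$Trustee)
    $user = [ADSI]"LDAP://$MailboxDn"
    $id   = New-Object System.Security.Principal.NTAccount($Trustee)
    $type = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($id, $AR::ExtendedRight, $type, $SendAsGuid)
    $user.psbase.ObjectSecurity.AddAccessRule($rule)
    $user.psbase.CommitChanges()
}

# Constructed input: what a KB 912918 dump of Full Mailbox Access holders might yield.
$fullAccess = @(
    @{ Trustee = 'CONTOSO\svc-bes'; MailboxDn = 'CN=Alice,OU=Users,DC=contoso,DC=com' },
    @{ Trustee = 'CONTOSO\alice';   MailboxDn = 'CN=Alice,OU=Users,DC=contoso,DC=com' }
)
foreach ($e in $fullAccess) {
    $owner = ([ADSI]"LDAP://$($e.MailboxDn)").sAMAccountName
    if ($e.Trustee -like "*\$owner") { continue }   # owner needs no Send As on own mailbox
    if (Test-SendAs $e.MailboxDn $e.Trustee) { "$($e.Trustee): OK on $($e.MailboxDn)" }
    else {
        "$($e.Trustee): MISSING Send As on $($e.MailboxDn)"
        # Grant-SendAs $e.MailboxDn $e.Trustee   # uncomment after reviewing the report
    }
}
```

Only ACEs naming the trustee directly are inspected; rights it holds through group membership are not expanded, so a MISSING line is a prompt to check, not proof the account cannot send as the user.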

Are there any exceptions?: Yes, indeed. “Send As” permission is not required in the following cases:
– the mailbox owner does not require “Send As” permission on its own mailbox
– Associated External Account – typically used in cross-forest scenarios and while you’re in mixed mode with accounts in an NT 4.0 domain and Exchange in an AD forest
– a delegate account that also has “Full Mailbox Access” permission